I am collecting Sysmon logs via Splunk UF in XML format (renderXml=true). I need to forward some specific Sysmon events to QRadar without XML formatting. I would like to keep sending all Sysmon events in XML format to Splunk.
I tried to make two different stanzas in inputs.conf trying to ingest the same log in two different ways but it does not seem to work.
It looks like Splunk merges these two together at runtime.
The idea was to filter non-XML events on HF by using props.conf, transforms.conf and _SYSLOG_ROUTING to send it to QRadar.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = sysmon

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = false
index = sysmon
whitelist = 1,22
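One way to reach the goal described above while keeping a single input stanza, as an added example that is not part of the original post: ingest the channel once with renderXml=true, clone the events of interest on the heavy forwarder with CLONE_SOURCETYPE, and apply the syslog routing (plus a tag-stripping SEDCMD) only to the clone's sourcetype, so the original XML stream to Splunk is untouched. The sourcetype name sysmon_qradar, the transform and output-group names, the QRadar host placeholder and the SEDCMD pattern are assumptions for this example.

```ini
# ---- inputs.conf (on the UF): one stanza only, XML rendering kept ----
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = sysmon

# ---- props.conf (on the HF) ----
# Default sourcetype produced by renderXml=true for this channel.
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
# Index-time transform: copy selected events into a second sourcetype.
TRANSFORMS-clone_for_qradar = sysmon_clone_for_qradar

# Assumed sourcetype name for the cloned copy. Only the clone gets the
# syslog routing and the tag stripping; the original XML event is unchanged.
[sysmon_qradar]
TRANSFORMS-route_to_qradar = sysmon_to_qradar
# Crude example: replace XML tags with a space so QRadar receives flat text.
# Adjust or replace with a field-extracting SEDCMD to match your QRadar DSM.
SEDCMD-strip_xml_tags = s/<[^>]+>/ /g

# ---- transforms.conf (on the HF) ----
# Clone only Sysmon EventID 1 (process create) and 22 (DNS query),
# matching the <EventID> element in the XML rendering.
[sysmon_clone_for_qradar]
REGEX = <EventID>(1|22)</EventID>
CLONE_SOURCETYPE = sysmon_qradar

# Route every event of the cloned sourcetype to the syslog output group.
[sysmon_to_qradar]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = qradar_syslog

# ---- outputs.conf (on the HF) ----
# Syslog destination for QRadar. Replace the placeholder host and port.
[syslog:qradar_syslog]
server = QRADAR_HOST_PLACEHOLDER:514
type = tcp
```

The clone is a new event that runs through the index-time pipeline under its own sourcetype, which is why the routing and SEDCMD stanzas are attached to sysmon_qradar rather than to the XML sourcetype. Two things to check after deploying: the clone is still forwarded to the indexers over the default tcpout group unless you also route it away (otherwise you will see each selected event twice in Splunk, once as XML and once flattened), and the SEDCMD above is a placeholder for whatever line format your QRadar log source expects.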